
Int. J. Risk Assessment and Management, Vol. 7, No. 8, 2007, p.1089

The COSO ERM framework: a critique from systems theory of management control

Dermot Williamson
Lancaster China Management Centre,
Lancaster University Management School, Lancaster University,
Lancaster, LA1 4YX, UK
E-mail: d.williamson@lancaster.ac.uk

Abstract: COSO’s (2004) framework on Enterprise Risk Management (ERM) makes a valuable contribution to the emerging practice of ERM, but suffers serious limitations. It fails to provide a workable standard for identifying ERM effectiveness. Its definition of ‘risk’ diverts attention from opportunities and from uncertainties that fall outside its closed rational systems perspective. By taking a command and control approach, it ignores shared management of uncertainties with external parties and social implications of ERM. As a result, threats will be created if this framework is widely followed, which seems likely as ERM is institutionalised within regulations, professional practice and expected norms of good management.

Keywords: enterprise risk management; ERM; institutions; management accounting; management control; systems theory.

Reference to this paper should be as follows: Williamson, D. (2007) ‘The COSO ERM framework: a critique from systems theory of management control’, Int. J. Risk Assessment and Management, Vol. 7, No. 8, pp.1089–1119.

Biographical notes: Dermot Williamson’s academic career focuses on management control and risk management within its cultural context. Previously he worked for Shell in various accounting and finance roles in the UK, Netherlands, Malaysia and Hong Kong. His research, based at the Lancaster China Management Centre, includes: management control and risk management; Chinese culture and institutions and their impact on management and control; research methodology, including grounded theory and middle-range methodologies. He teaches management accounting, management control and financial accounting at Lancaster and Heriot-Watt Universities, and at Thunderbird and Heilbronn graduate schools of management.

1 Introduction

Risk management is now firmly established on the agenda of managers and boards of directors (Dickson, 2003; EIU, 1995), and it is of concern to public sector managers in the UK (HM Treasury, 2004). Minds have been focused by, for example, requirements and recommendations for reporting on risk and risk management in the UK (ASB 2005; FRC 2003), requirements in Germany (Dobler, 2005; Kontrag, 1998), and requirements for the financial sector in the EU (European Union, 2003).


Copyright © 2007 Inderscience Enterprises Ltd.



Enterprise risk management (ERM) is the management of qualitative as well as quantifiable risks for a whole organisation, including operational, compliance and reporting risks (COSO, 2004; Kleffner et al., 2003; Meagher and O’Neil, 2000). ERM is being institutionalised as expected practice by regulations (e.g. Basel Committee, 2004; FRC, 2003; FSA, 2005), by professional bodies (AIRMIC IRM ALARM, 2002; ICAEW, 1999a; IIA – UK, 2004), and by expectations raised by practitioner publications (Chapman, 2003; Kleffner et al., 2003; Lam, 2000; PricewaterhouseCoopers, 2004). The Committee of Sponsoring Organisations of the Treadway Commission in the USA has issued direction and guidance for ERM in its ‘Enterprise Risk Management – Integrated Framework’ (COSO, 2004). It addresses a gap in operational risk, which is less developed than credit and market risks in the financial services industry (Basel Committee, 2003; Murphy, 2001). This latest COSO framework builds on its earlier (1992) ‘Internal Control – Integrated Framework’, which has been reflected in the UK’s Turnbull Guidance (FRC, 2003) and has influenced the SEC (2003) in the USA in its regulations for reporting under section 404 of the Sarbanes-Oxley Act 2002. The COSO framework on ERM looks likely to be equally influential. This article is a critique of the ERM framework, aiming to show its contributions, limitations and implications.

Among other criticisms made here of COSO’s (2004) ERM framework, this paper criticises its definition of ‘risk’. The term ‘uncertainty’ is therefore generally used here in preference to ‘risk’, although phrases such as ‘risk management’ and ‘risk attitude’ are unavoidable. Uncertainty is used to mean threats and opportunities, and uncertain events whose outcomes cannot be identified as either threats or opportunities. It includes quantitative uncertainty as well as events whose likelihood cannot be quantified.

The next two sections of this article set the scene by describing COSO’s ERM framework within a context of growing concern about uncertainty and of how it relates to management control. Section 4 sets out the theoretical framework for the paper by explaining how the systems theory of management control exposes areas of uncertainty to analysis. The fifth section starts the critique by outlining some of the achievements of COSO’s framework. This is followed by a critical comparison of COSO’s definition to other concepts of ‘risk’. Section 6 applies general systems theory of multiple levels of analysis to COSO’s framework. Sections 7 to 10 examine the framework from four different systems perspectives. Section 11 uses open natural systems analysis to show how COSO’s (2004) framework, while helping entities manage uncertainties, could create threats to these organisations and to wider society. The conclusions section summarises the main findings and implications.

2 Uncertainty and COSO’s ERM framework

Uncertainty is endemic. It is a prerequisite for profit (Knight, 1933) and creates the need for strategy, whether in the commercial, voluntary, or government sectors. Reactions to rail accidents in the UK at Paddington and Hatfield demonstrate public and political anxiety for safety, which has led to the restructuring of the UK rail industry. Growing social concern about threats such as ‘mad cow’ disease, MRSA infected hospitals, and anti-social behaviour has made risk the concern of politicians. Risk management now straddles the divide between public and private sectors (Froud, 2003; HM Treasury, 2004).


Some claim that business uncertainty is increasing (ICAEW, 2002; ICAEW and The Risk Advisory Group Ltd, 2004), while others show that perceptions of uncertainty are changing (Adams, 1995; Beck, 1992; Giddens, 1991; 1999). Corporate concerns reflect not only desire to lower costs of capital (ICAEW, 1999b), but also increasing demands by stakeholders for accountability that uncertainty is managed (Cadbury Committee, 1992; Spira and Page, 2003). Some authors claim that this concern about uncertainty is overtaking concern about wealth creation and profit (Beck, 1992), and that attitudes to threats define contemporary society (Bernstein, 1996).

COSO sets out to give an ERM framework for managing this uncertainty, providing “key principles and concepts, a common language, and clear direction and guidance” (COSO, 2004, p.v). It has eight components. First is the internal environment, which sets the tone for the organisation, influencing the risk consciousness of its members. Objective setting is the second component, in which strategy and objectives are aligned with risk attitudes. Thirdly, threats and opportunities are identified by reference to the objectives. Risk assessment is the fourth component, in which events that could adversely affect attainment of objectives are assessed in terms of likelihood and potential impact. Fifthly, responses are made to these assessed threats. The remaining components are control activities, information and communication, and monitoring of risk management processes.

The COSO (2004) ERM framework has developed from a risk based approach to control (Power, 2000; Spira and Page, 2003) that became prominent with COSO’s (1992) earlier framework on internal control. It marks a shift in focus from internal control to ‘risk’. The earlier 1992 framework put risk assessment as an integral component of internal control. The 2004 framework has risk management as a purpose for internal control. The closeness of these concepts is shown by Blackburn, who maintains that any distinction between internal control and risk management is artificial, which arises from separating risk management and internal control from business activities (Spira and Page, 2003). It is for this reason that management control theory is used here to analyse COSO’s (2004) ERM framework.

3 ERM and management control

COSO’s (1992) internal control framework gave a wide definition of internal control as a process designed to provide reasonable assurance of achieving objectives concerning effectiveness and efficiency of operations, financial reporting, and compliance with laws and regulations. Academic theories of management control embrace use of resources (Anthony, 1965) and influencing behaviour (Fisher, 1995; Flamholtz, 1996; Merchant, 1998) towards achievement of organisational objectives, adjustment of those objectives (Otley, 1994; Simons, 1990), and survival within a changing environment (Berry et al., 2005b; Lowe and Chua, 1983). So, if compliance with laws and regulations and financial reporting are seen as part of the objectives for an organisation, internal control in the wider sense used by COSO (1992) falls within academic theories of management control.

Much management control theory has come from management accounting (Macintosh 1994; Otley, 1994). These disciplines share many quantitative techniques for handling uncertainty including expected values, decision trees and real options. Examples also include risk based cost of capital for capital investment decision theory (Drury, 2000; Garrison et al., 2003) and for residual income (Emmanuel and Otley, 1976; O’Hanlon and Peasnell, 1998). However, use of qualitative estimates of likelihood (e.g. Harris, 1999) is of greater interest in evaluating COSO’s (2004) ERM framework because of the framework’s qualitative approach. Systems theory of management control has much to say about qualitative uncertainty.

4 Systems theory of management control

A feature of general systems theory is that systems can be analysed at many levels. Boulding’s (1956) classic work identifies a hierarchy of levels at which systems can be understood. So management control is a system at several levels. It is a cybernetic control process (Otley and Berry, 1980) that may give some assurance that an objective or standard is achieved. At a higher level, management control is a system of mutually supporting control mechanisms including cybernetic control processes (Flamholtz, 1996). These may together give some assurance of achieving several objectives for an organisation (Anthony, 1965). Systems at still higher levels can be seen in management control processes to maintain an organisation within its relationships with other organisations (Berry, 2005) and its wider social setting (Lowe, 1971; Machin, 1983). Finally management control can be seen as a body of practice that helps maintain society with its many organisations (Berry et al., 2005a; Kelly, 1994). Each higher level of systems analysis shows management control concerned with a wider range of uncertainties, ranging from the uncertainty of a cybernetic predictive model to uncertainties about how society develops.

4.1 Cybernetic and other closed rational views of management control

Management control theorists contrast closed rational systems to open and natural systems views of management control in order to expand insight into the organisational and social implications of control systems (Collier, 2001; Collier and Berry, 2002; Macintosh, 1994). This analysis explains the expanding range of uncertainties identified in ascending levels of general systems theory of management control. Otley et al. (1995) use Scott’s (1981) analysis of open versus closed and natural versus rational systems to explain the development of research into management control. It is illustrated in Figure 1.

Cybernetic systems form a basic unit of management control theory and fall into the closed rational quadrant of Figure 1. Cybernetics is control theory that uses communication (Wiener, 1948) of either feedback or feed forward loops to relate output of a process to inputs and how the process is carried out. It attempts to manage uncertainty within a process. Cybernetic control explains results control, where information about the process output stimulates adjustments so that results are kept within acceptable parameters. It includes action control in which adjustments are made either to rules and constraints over people’s behaviour that constitutes the process (Emmanuel et al., 1990; Merchant, 1998), or to the technological design of how the process is carried out (Collin, 1995). Cybernetic control can also indicate a need to change the standard that a process is intended to achieve (Otley and Berry, 1980).


Figure 1 Systems views of management control theory, based on Otley et al. (1995) [figure not reproduced in this extraction]

Other examples of closed rational system theories of management control include Ouchi’s bureaucratic control mechanisms (1979), Taylorism and scientific management (Thompson, 1967). A further example is agency theory, which is restricted to views of a principal and an agent and is directed towards achieving the principal’s objectives (Jensen and Meckling, 1976).

Bounded rationality begins to show limitations of these closed rational views of management control: managers usually have neither the time nor capacity to attend to all the input data that a mechanistic model implies are needed to achieve objectives for an organisation (March and Simon, 1993); uncertainty as well as information complexity from human interaction make unrealistic the assumptions of closed rational control systems. For example, cybernetic control cannot optimise objectives at the higher systems level of a human organisation (Otley and Berry, 1980).

4.2 Open rational systems view of management control

The open rational systems view, of the top left quadrant in Figure 1, sees uncertainty not only within an organisation but also in the outside environment: for example prices, demand and competitors are uncertain. Contingency theory shows that there is not ‘one best way’ to design the management control for organisations, for the optimum design depends on how management control can fit external contingencies (Otley, 1980). External uncertainty increases the difficulties of optimising, or perhaps even of ‘satisficing’, objectives for an organisation: survival may become the overriding organisational objective for management control (Berry et al., 2005b; Lowe and Chua, 1983; Thompson, 1967).

Management control researchers have recently studied control between organisations towards shared objectives (Berry, 2005; Hakansson and Lind, 2003; Langfield-Smith and Smith, 2003; Seal et al., 2004; Tomkins, 2001). This control may be between supplier and customer in a long-term supply arrangement, between networks of organisations, or within strategic alliances. Broadening the concept of management control beyond the boundaries of an organisation increases the scope of uncertainty about which external and internal actors are involved, what information is available to whom, and the extent of their influence over events.


4.3 Closed natural systems view of management control

The bottom right hand quadrant of Figure 1 returns to uncertainties within the organisation, but raises new uncertainties over what people within it are trying to achieve. Closed rational systems theories of management control are concerned with people’s behaviour (Emmanuel et al., 1990; Tannenbaum et al., 1974), and possibilities for social control (Hopwood, 1974) including developments of Ouchi’s (1979) clan control. Checkland (1993) distinguishes soft systems, which involve people, from hard systems, which can be rationally engineered to achieve known objectives. Soft systems, even if they are purposively designed, are subject to vagueness and ambiguity of objectives. This imprecision arises from negotiation when setting objectives (Cyert and March, 1992), from interpretation of the objectives, and from variable acceptance of objectives and of processes to address them (Berry et al., 1985; Ezzamel and Willmott, 1998).

Management control researchers identify the politics of management control. They find that accounting, as part of accountability, is seen both as a means to control competing interests, and as an exercise of political power by those who set the conditions of accountability (e.g. Berry et al., 1985; Burns, 2000; Dent, 1991; Dermer, 1986; Munro and Mouritsen, 1996; Roberts and Scapens, 1985).

Management control within natural systems perspectives is largely subjective. The need for control, its objectives, means and extent are subject to a variety of opinions. These views are frequently inconsistent. Institutional theories show how the legitimacy of views and the legitimacy of action are at least as important for political survival as achieving objectives (Burns and Scapens, 1999; Collier, 2001; Dent, 1991).

4.4 Open natural systems view of management control

The top right hand quadrant of Figure 1 depicts management control theory that recognises uncertainties external to the organisation as well as uncertainties about objectives. Strategy and organisation theorists have shown that organisations can influence the environment where they operate (Hedlund and Rolander, 1990; Prahalad, 1999). This turns contingency theory on its head. Instead of an entity rationally seeking effectiveness by responding to the external demands and constraints within its environment, it can seek to modify these contingencies.

Besides uncertainty emanating from the external environment, there is uncertainty of how the environment will react to managers seeking to influence external contingencies for their organisation. This is a system of mutual interaction between the organisation and its environment. For example, management control research into relationships between companies (e.g. Hakansson and Lind, 2003; Langfield-Smith and Smith, 2003) inquires into these uncertainties of management control that transcends a single organisation.

New institutional theory shows how organisations respond not just to rational demands of their stakeholders and regulators, but also to coercion of external political forces and demands for legitimacy, to mimetic forces of best practice, and to normative forces of professionally accepted practice (DiMaggio and Powell, 1991). Researchers show how control and accounting practices are influenced by these institutional forces of society, and in turn influence the organisations where they are practiced (Brignall and Modell, 2000; Dent, 1991). This analysis shows that organisations seek not only rational optimisation of economic goals set by their stakeholders, but also political survival within society amid competition for legitimacy (Hogler and Hunt, 1993; Meyer and Rowan, 1977).


Institutional theory traces influence by organisations over their social environment. It shows how accounting influences the society that accounting purports to serve (Covaleski et al., 2003; Miller and O’Leary, 1987; Puxty et al., 1987). Besides providing information to audiences within and outside an organisation, for them to make economic decisions and to regulate transactions, accounting also shapes the reality that it reports on (Hines, 1988; Preston, 1995). Similarly, management control not only serves managers, stakeholders and society, it also plays a part in the social construction of value, organisations and society itself (Miller and O’Leary, 1987; Neimark and Tinker, 1986; Roslender, 1995).

5 Contributions of COSO’s ERM framework

COSO’s (2004) ERM framework makes some important contributions to understanding the practice of ERM, and how entities can implement an ERM system. These contributions show that the framework can be an important aid to managing the complex uncertainties that organisations face.

The 2004 framework responds to the growing focus of corporate governance pronouncements on risk management (FRC, 2005; Kontrag, 1998; SEC, 2005). The membership of COSO, namely the American Accounting Association, American Institute of Certified Public Accountants, Financial Executives Institute, Institute of Management Accountants, and The Institute of Internal Auditors, gives authority to its considered views on how ERM should be implemented. This framework serves as a definitive statement of what ERM is, applying to all entities in the public, private and voluntary (not-for-profit) sectors, and in non-financial industries as well as financial industries. It may come to be accepted as a standard for how ERM should be implemented.

COSO (2004) elevates the status of ERM, putting it firmly among key management functions. It subsumes internal control within ERM, which now stands as a purpose for internal control. By developing qualitative management of uncertainty, it enhances the status of operational risk, which has been relatively underdeveloped compared, for example, to quantifiable credit and market risk within the banking industry (Basel Committee, 2003; Murphy, 2001).

The COSO framework sets out to give “a common language and clear direction and guidance” (COSO, 2004, p.v) for ERM implementation, with a glossary of defined terms. The principle of a common language is widely recognised as a key success condition for implementation of ERM within organisations (Banham, 2003; Barlow, 2000; IIA – UK, 2003; Reast, 1996), being essential for cross-functional communication and shared understanding of enterprise-wide uncertainties.

COSO (2004) can serve as a template to help researchers. Its terminology can support communication with ERM practitioners, and help researchers relate their work to ERM practice.

The variety of disciplines from which ERM has grown, such as finance, banking, insurance, actuarial science, accounting, and internal and external audit (see Appendix D – Selected Bibliography of COSO, 2004; Pickford, 2001), has brought various understandings of what risk is and how it can be managed. Nevertheless the COSO terminology has some serious limitations as a common language for ERM.


6 Definitions

COSO defines risk as “The possibility that an event will occur and adversely affect the achievement of objectives” (COSO, 2004, p.124). This is close to an everyday meaning of risk as “a chance or possibility of danger, loss, injury or other adverse consequences” (Allen, 1990, Concise Oxford Dictionary, p.1040). However, many disciplines such as economics (Knight, 1933; Lipsey and Chrystal, 2004), finance (Arnold, 2002; Shapiro, 1999) and several authors on risk management (AIRMIC IRM ALARM, 2002; HM Treasury, 2004; Sobel and Reding, 2004; Sull, 2005) use risk to include the possibility of both positive and adverse outcomes, arguing for example that managers need to pay at least as much attention to opportunities as to threats (Kelly and Weber, 2005), or that limiting risk management to possibilities of negative events can blind managers to failures in following up on possibilities (Outram, 2005). Defining risk in terms of negative outcomes also gives an immediately negative ring to the concept of risk management, which various authors (Banham, 2003; Kelly and Weber, 2005; Meagher and O’Neil, 2000; White, 2004) try to dispel.

Another difference between the definitions is whether risk goes beyond probabilities that can be quantified with either an objective measurement (Gigerenzer, 2002; Knight, 1933) or a subjective estimate (CIMA, 2000). The COSO definition, by including qualitative likelihood, broadens the scope of risk management to qualitative techniques and to uncertainties for which likelihood cannot be quantified. Arguably, it is the qualitative threats, such as strategic and reputation risks, that pose the greater challenge to managers, because they are harder to assess, and very often represent a greater threat to the survival of an entity.

These possibilities for the scope of risk are shown in Figure 2. In this diagram, the COSO (2004) scope of risk management falls into the left hand column of unfavourable potential outcomes or ‘threats’. Many economists, such as Knight (1933), restrict risk to the top row of threats and opportunities with a quantifiable likelihood. Professional accounting pronouncements give a variety of definitions of risk. The Chartered Institute of Management Accountants (CIMA, 2000) extends the scope of Knight’s definition to include subjective estimates of threats and opportunities. Auditing standards generally refer only to threats (IFAC, 2005). But the UK accounting standard FRS5 (ASB, 1998) defines risk as all uncertainty about potential gains and losses, that is with the scope of all six boxes of Figure 2.

The COSO (2004) definition of ‘risk’ raises a problem of scope that is apparent from cybernetic control theory. What is adverse to achievement of objectives depends upon what standard is used for measuring these achievements. A potential outcome may be closer or further away from objectives according to whether progress is measured in terms of, for example, the previous week, month or year, and whether progress is relative to a budget, forecast or plan. This is not an issue of mere semantics, as COSO’s ERM framework sets out a different process for opportunities than for threats: opportunities are fed back into strategy and objective setting and so avoid processes of risk assessment, selecting risk responses and control activities.


Figure 2 Scope of alternative definitions of risk [figure not reproduced in this extraction]

The distinction between opportunities and ‘risks’ in COSO’s framework (2004) creates at least two difficulties. Firstly, to channel opportunities but not threats to strategy and objective setting would be to deprive this process of vital information, because it is difficult to imagine the pursuit of any strategy or objective that does not present some threat as well as opportunity. The second difficulty is that an event can have both positive and negative outcomes. Although the framework recognises such events (COSO, 2004, pp.4, 16, 22 and 47), they appear to fall outside all of the framework definitions including those for ‘risk’ and ‘opportunity’. It is difficult to imagine any opportunity that does not threaten some cost or negative possibility, while many threats offer the possibility of some opportunity. The scope of this ambiguity between opportunity and ‘risk’ is therefore considerable.

COSO (2004) claims to offer a common language of ERM. Yet its definition of ‘risk’ invites confusion, creating uncertainty about what falls within its scope. This obscures the scope of ERM.

In order to avoid confusion, this critique uses the word ‘uncertainty’ for all events that are not certain, irrespective of whether their impact is favourable, unfavourable, a mixture, or unclear whether the outcome may be favourable or unfavourable. It represents all six boxes in Figure 2.

7 The ERM framework as a closed rational system

The systemic nature of ERM described by COSO (2004) can be seen in the interdependencies between its eight components, and in how they together are intended to serve objectives. It is a purposive system designed to achieve objectives. The systems model of management control, illustrated in Figure 1, is used here to show the limitations of COSO’s (2004) framework.

COSO’s (2004) framework does not examine formulation of the organisational objectives towards which ERM is designed to provide assurance. Strategy and objectives are given; they are imposed by senior managers as principals. This is a rational systems view, such as described in cybernetic and agency theories.


111 7.1 Internal focus of COSO’s ERM framework


2
COSO’s (2004) ERM framework, with its purposive design and control within the entity,
3
is predominantly a closed system. Admittedly, COSO (2004) takes pains to emphasis the
4
importance of external ‘risks’, calls for attention to information from outside the entity and
5
lists roles and responsibilities of external auditors and other external parties. Yet the focus
6
of COSO is in several important respects on what happens within the organisation. Firstly,
7
what was called the ‘control environment’ in COSO’s (1992) Internal Control framework,
8
is now termed the ‘internal environment’, which diminishes the importance of cultures,
9
norms and social expectations outside the organisation for how uncertainty is viewed and
1011
managed.
1
Secondly, COSO (2004, pp.8 and 83) maintains that external parties cannot be
2
responsible for ERM effectiveness. While one can understand that an entity’s board and
management should not attempt to diminish their responsibility for ERM when delegating responsibilities to outsiders, it is difficult to understand why they should not delegate ERM tasks to others and hold these outsiders accountable, in the same way that managers may delegate tasks within their organisation. There are many examples of outsourced tasks that contribute to ERM effectiveness, including outsourced physical security, assessment by consultant actuaries of pension risk, uncertainties shared with insurers and counter-parties for hedging instruments, and monitoring by outsourced internal audit functions and safety experts. While directors and managers remain responsible for managing these outsourced tasks, and are held accountable if the outsiders fail in these tasks, the outsiders are accountable to those who hired them if they fail in ERM supporting tasks. Curtailing the scope of ERM responsibilities to insiders within an organisation is unrealistic.

A third example of this internal focus of COSO (2004) appears in the extent to which ERM can give assurance of achieving objectives. Its framework describes how reasonable assurance can be given of achieving reporting and compliance objectives. This is similar to COSO's earlier (1992) Internal Control framework. But in the 2004 framework, ERM can provide reasonable assurance, not that strategic and operational objectives will be achieved, but only that the board and management are aware of the extent to which the entity is moving towards achievement of these objectives. The reason given for this retreat is that "achievement of strategic objectives and operations (sic) objectives, however, is subject to external events not always within the entity's control" (COSO, 2004, p.5), and "there is a difference when it comes to strategic and operations objectives, because their achievement is not solely within the entity's control. . . . It is subject to external events, . . . where an occurrence is beyond its control" (ibid., p.39). This assumption, that what occurs within an organisation can be controlled by management of the organisation and what happens outside cannot, is challenged by those who use open systems analysis.
It seems that the 'reasonable assurance' offered by the COSO (2004) ERM framework is intended to be some absolute standard, perhaps referring to a reasonable manager, auditor, investor or other stakeholder.1 Yet the framework seems to have ignored an obvious solution to the paradox of how ERM can provide reasonable assurance of achieving objectives where management has only limited control over the means for achieving these objectives. 'Reasonable' might refer to what level of assurance could reasonably be expected given the difficulty of achieving a particular objective. For example, users of a company's financial statements might expect 100% assurance that these statements in all material respects report a true and fair view. Reasonable assurance for operational and strategic objectives might fall to a lower level of likelihood depending upon how challenging these objectives are: safety standards might reasonably be expected to be achieved with a higher likelihood than, for example, maintaining industry leadership for customer service. What is reasonable assurance therefore depends upon the nature of the objective and what standard of assurance is expected. The framework leaves considerable uncertainty over what amounts to reasonable assurance for any particular objective or source of uncertainty, but its demarcation between controllable and uncontrollable implies an absolute standard. When controllability is seen to merge into degrees of influence, reasonable assurance softens into subjectivity that allows the scope of control and risk management to extend to strategic and operational objectives for which management has only a degree of influence. The scope of ERM can then also step beyond the boundaries of the organisation.
3
4
7.2 Effectiveness of ERM
5
6 Effectiveness is an inherently cybernetic concept, implying results control of outputs
7 against some standard. The concept of effective ERM is important within COSO’s (2004)
8 framework, appearing within its rationale for both ERM and the framework itself. The
9 notion of effectiveness appears 188 times in the framework document and a further 52
2011 times in the accompanying Application Techniques. Effective risk management is also
1 central to the Turnbull Guidance in the UK Combined Code (FRC, 2005), which requires
2 directors of listed companies to report that they have reviewed the effectiveness of their
3 system of internal control.
4 COSO specifies three criteria for ERM effectiveness. The first is that the eight
5 components (internal environment, objective setting, event identification, risk assessment,
6 risk response, control activities, information and communication, and monitoring) must be
7 present and functioning effectively. Secondly there should be no material weaknesses, and
8 thirdly risks should be brought within the entity’s risk appetite. Management control
9 theory throws light on each of these criteria.
30
1 7.2.1 The eight components are present and functioning effectively
2 Mere presence of the eight components suggests a ‘box ticking’ approach to assessing
3 effectiveness, which has come in for criticism, at least within the UK (Hayward, 2003;
4 Mawji. 2004).
5 This criterion is an example of action control, such as bureaucratic control
6 mechanisms that Ouchi (1979) describes as an alternative to results controls. Action
7 controls can be benchmarked against industry best practice or acceptable practice. They
8 can be evaluated by skilled assessors, knowledgeable in the activities and standards for
9 how work should be done. But action controls do not assess directly whether a process is
40 effective, for that requires results control of identifying whether it achieves some purpose
1 (Berry et al., 2005b). It leads back to whether the overall ERM process is effective.

7.2.2 No 'material weakness'

Unfortunately COSO (2004) does not define 'no material weakness', its second criterion of effectiveness. Perhaps COSO was influenced by the US Public Company Accounting Oversight Board (PCAOB, 2004) and SEC (2003), which regulate how companies should report on the effectiveness of their internal financial control under the Sarbanes-Oxley Act 2002. The PCAOB's audit standard AS2 defines material weakness as deficiencies in internal control that have more than a remote likelihood of resulting in material misstatements in financial reports, while the SEC similarly relates material weakness to the threat of material misstatement. 'Material weakness' is thus identified by both likelihood and magnitude of financial impact. Perhaps COSO intends its 'material weakness' within the context of effective ERM to refer both to some real level of likelihood and to some material impact. In this case, assessing whether there is 'no material weakness' involves difficult risk management judgements about likelihood and impact, which are integral to the risk management process described in COSO's framework. It is no more than part of the third criterion, whether 'risk' is brought within the entity's risk appetite.

7.2.3 Bringing 'risk' within the entity's risk appetite

Evaluating whether 'risk' is brought within the entity's risk appetite might be done by comparing residual uncertainties identified in the ERM system to the level of uncertainty of results that is acceptable for the entity. But this is inadequate for evaluating the effectiveness of the entity's ERM system, because it relies on the effectiveness of the system that is being evaluated: it relies in particular on the risk assessment component of ERM. Therefore, unless entities employ skilled assessors of residual risk, which will be considered under monitoring of ERM, this and the other two criteria lead to the question of whether the overall ERM system is effective.

An obvious, but not perfect, solution is to use results control; that is, to compare actual ex post outcomes to residual uncertainties identified ex ante in the ERM process. It is not perfect because waiting until outcomes can be measured ex post makes the evaluation too late for input to management of the events leading to those outcomes. It is also limited as a management tool for outcomes yet to happen, because uncertainties of low frequency but high impact events usually have insufficient history to give an indication of how they are likely to unfold in the future. Yet, despite its limitations, results control for ERM may be the best available objective measure of ERM effectiveness. We have to live with considerable uncertainty about the effectiveness of ERM systems.
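One way to operationalise the results control just described, as an added example that is not part of the paper: each threat in a risk register carries the likelihood per period that management assigned ex ante, and the ex post record of how many observed periods it actually occurred in. The script compares the two with an exact binomial tail test and, separately, refuses to pass judgement where the expected count is too small, which is the low-frequency, high-impact limitation the text points out. The register, threat names and figures are constructed, and the minimum expected count of 3 and the 5% significance level are assumptions, not anything COSO or the author specifies.

```python
"""Results control of an ERM risk assessment: compare the ex ante likelihoods
recorded for each threat with the ex post record of whether it occurred.
Added illustration; the figures below are constructed, not taken from any
real register."""
import math
from dataclasses import dataclass
from typing import Dict, Iterable


@dataclass(frozen=True)
class RiskRecord:
    name: str
    ex_ante_likelihood: float  # probability per period assigned at assessment time
    periods_observed: int      # periods (e.g. quarters) for which the outcome is known
    occurrences: int           # periods in which the event actually happened


# Constructed sample register (hypothetical threats and figures).
REGISTER = (
    RiskRecord("payment card data breach", 0.05, 20, 1),
    RiskRecord("key supplier outage", 0.20, 20, 9),
    RiskRecord("phishing-led credential theft", 0.60, 20, 11),
    RiskRecord("ransomware encrypts file servers", 0.50, 20, 4),
    RiskRecord("data centre destroyed", 0.01, 20, 0),
)


def binomial_tail(k: int, n: int, p: float) -> float:
    """P(X >= k) for X ~ Binomial(n, p), computed exactly without SciPy."""
    return sum(math.comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k, n + 1))


def brier_score(records: Iterable[RiskRecord]) -> float:
    """Mean squared gap between the ex ante likelihood and the 0/1 outcome,
    pooled over every observed period. 0 is perfect; a constant guess of 0.5
    scores 0.25."""
    total, periods = 0.0, 0
    for r in records:
        p = r.ex_ante_likelihood
        misses = r.periods_observed - r.occurrences
        total += r.occurrences * (1 - p) ** 2 + misses * p ** 2
        periods += r.periods_observed
    return total / periods if periods else 0.0


def evaluate(records: Iterable[RiskRecord], min_expected: float = 3.0,
             alpha: float = 0.05) -> Dict[str, str]:
    """Verdict per risk. A risk whose expected count (p * n) is below
    min_expected is not judged at all: that is the low-frequency, high-impact
    case where the history is too thin to support any conclusion.
    min_expected and alpha are assumed thresholds, not values from the paper."""
    verdicts: Dict[str, str] = {}
    for r in records:
        p, n, k = r.ex_ante_likelihood, r.periods_observed, r.occurrences
        if p * n < min_expected:
            verdicts[r.name] = "insufficient history"
        elif binomial_tail(k, n, p) < alpha:          # k or more would be surprising
            verdicts[r.name] = "likelihood under-estimated"
        elif 1 - binomial_tail(k + 1, n, p) < alpha:  # k or fewer would be surprising
            verdicts[r.name] = "likelihood over-estimated"
        else:
            verdicts[r.name] = "consistent with estimate"
    return verdicts


if __name__ == "__main__":
    for name, verdict in evaluate(REGISTER).items():
        print(f"{name:35s} {verdict}")
    print(f"pooled Brier score: {brier_score(REGISTER):.4f}")
```

Run on the constructed register, the supplier outage is flagged as under-estimated (9 occurrences against an expectation of 4), the ransomware entry as over-estimated, phishing as consistent, and the two rare, severe entries as unjudgeable: exactly the cases for which the text says results control offers no guidance, which is why the script reports them rather than silently scoring them as accurate.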

7.2.4 Monitoring of ERM

COSO's monitoring component of its ERM framework (2004) includes both monitoring of ERM processes by management responsible for those processes, and separate evaluations by others such as internal auditors. Both forms of monitoring may contribute to assurance about the effectiveness of an entity's ERM system. They require various skills, such as knowledge of the type of risk management processes being monitored and, in the case of evaluations by internal auditors, independence from managers responsible for the processes.

Evaluating the effectiveness of ERM and its components requires judgement (COSO, 2004, pp.7 and 24). Like all judgements, this is an opinion and cannot be based on objective facts alone. It must weigh up values and beliefs, if only to prioritise between competing standards, interests and evidence. Ouchi's (1979) theory about clan control shows the role that values and beliefs can play in management control, including induction of staff in an organisational culture, professional training and inculcation in an ethos (Abernethy and Stoelwinder, 1995). Clan control is particularly useful where the output is difficult to measure for results control, and where there is insufficient knowledge about the process for action control (Macintosh, 1994; Ouchi, 1977). Just as results control of the level of assurance provided by ERM processes is difficult, there is insufficient knowledge about precisely how ERM processes contribute to reasonable assurance for anyone to design an objective standard for action control of how ERM should be done.

COSO (2004) recognises the importance of organisational culture and values in its component of 'internal environment', and hence of the sort of control mechanisms that fall within clan control. However, it fails to recognise the inherent subjectivity in evaluating control effectiveness: for example, "The concept of a subjective judgment as to the presence and functioning of the eight components has been removed, on the grounds that the judgment can be objective, based on the principles of this framework" (ibid., p.117). It does not grapple with the subjectivity of assessing whether low frequency high impact events fall within an entity's risk appetite, or of judgement in monitoring whether ERM processes are contributing to assurance. This subjectivity will be discussed further when looking at ERM as a natural system.

To summarise, COSO (2004) describes its ERM framework largely as a closed rational system. It says little about formulating the entity's objectives and sees ERM processes as internal to an entity. It strives for the objectivity that is typical of mechanistic cybernetic control systems. Yet it fails to escape the inherent subjectivity of the notions of controllability, reasonable assurance, risk appetite and control effectiveness.

The limitations of this closed rational attempt to describe risk management are shown by comparing it to the necessary conditions for a cybernetic control system (Otley and Berry, 1980). The first is that there is an objective for the system being controlled. COSO's specification of the purpose for an ERM system has not taken us beyond growth in stakeholder value, which it does not define; reasonable assurance of achieving objectives, from which it retreats for strategic and operational objectives; and bringing risk within an organisation's risk appetite, which itself depends upon the ERM system. The second condition for cybernetic control is that there is a means for measuring results along dimensions defined by the objective for the system. This is problematic without a clearer specification of measurable objectives. Thirdly, there must be a predictive model of how inputs are transformed into outputs. For ERM there would need to be a model of precisely what combinations of elements in an ERM process produce what outputs of reasonable assurance and 'risks' falling within the entity's risk appetite. The fourth condition requires a choice of relevant actions available to whoever is attempting to gain control of the system. Only this condition is met: the possibilities are limitless for what sorts of 'internal environment', event identification and risk assessment techniques, risk responses, control activities, information and monitoring can be used for ERM. The impossibility of knowing precisely how these are transformed into attainment of several un-measurable objectives for an ERM system makes control of ERM in a cybernetic sense unattainable.

8 The ERM framework as an open rational system

Although the COSO (2004) framework sets out to manage external as well as internal uncertainties, it envisages a definite boundary between what is inside and what is outside an entity. In doing so, it fails to recognise uncertainty about where this boundary may lie. Firstly, as already mentioned, much management of uncertainty for an entity may be done by people who are not employees of the entity. Secondly, although COSO (2004) attempts to write a normative standard for all organisations, it glosses over relationships between external contingencies and the sort of uncertainties that an entity faces, and hence how it can best manage these uncertainties. These problems are examined in turn.

8.1 Permeable boundaries

"The boundaries of an organization and the boundaries of the control function are not necessarily co-terminous" (Otley et al., 1995, p.S40). Gains from an organisation outsourcing activities are made at the expense of losing some control. With outsourcing, vertical command and control gives way to contract control, to lateral negotiation of objectives, standards and resources, to sharing of uncertainties and information between organisations, to mutual dependencies, and to mutual responsibilities. Management control researchers show how inter-organisational control merges into influence and trust (Berry, 2005; Hakansson and Lind, 2003; Langfield-Smith and Smith, 2003; Seal et al., 2004; Tomkins, 2001). At the same time, outsourcing, joint development of businesses and of products, and alliances are seen as a strategy for managing uncertainties (Sull, 2005).

The omission from COSO's (2004) framework of managing uncertainties between entities diverts attention from an increasingly important area of risk management, and narrows the scope of ERM. Also, as discussed above, COSO's denial of any responsibility by people outside an organisation for the entity's ERM confuses the nature of responsibility. It reinforces the focus of the framework on what happens within the entity. Consequently the scope of ERM and responsibility for ERM are confused, diminishing the value of this framework as a common language.

8.2 External environment

COSO (2004) bravely attempts to provide a standard of effective ERM for all types of businesses and entities, whether in the private, public or voluntary sectors. Organisation theory has long recognised the effect of contingencies in an organisation's external environment on its structure and how it is managed (e.g. the review by Scott, 1981), and management control researchers have shown the effect of external contingencies on control within an organisation (Brignall and Modell, 2000; Fisher, 1995; Otley, 1980; Spicer and Ballew, 1983). External contingencies may impact in similar ways on perceptions of how an entity can best carry out ERM. Besides the usual contingencies such as entity size, diversification, type of technology and amount of uncertainty in the entity's environment, more specific features of this uncertainty may affect perceptions of ERM. Stakeholders' attitudes to uncertainty have affected the structure of private finance initiative (PFI) projects in the UK (Froud, 2003), which in turn may have affected incentives for how managers of these projects manage uncertainties. The extent to which banks' uncertainties are quantifiable, and the importance of relating threats to their need for capital, are reasons why banks have generally advanced further than the non-financial sector in developing ERM. Development of the Basel II requirements (2004), reflecting governments' and international attitudes to systemic threats to banking systems, is also a driving force for, as well as a reflection of, banks' relatively advanced development of ERM.

Contingency theory indicates that there is not one way that is best for all entities (Otley, 1980). If this applies to ERM as it does to performance and control, COSO's (2004) "one size that fits all" normative statement on ERM cannot define best practice for all entities. What is seen as acceptable practice for one entity may be viewed as woefully inadequate for another.

9 The ERM framework as a closed natural system

The closed natural system view reinstates the assumption that entities have definite boundaries, but focuses on uncertainties that people bring to organisations by reinterpreting or challenging objectives.

9.1 Emergent strategy

The closed natural system view relaxes the assumption that strategy and objectives are rationally and deliberately formulated. For example, Mintzberg et al. (1998) describe strategy that emerges unplanned from the challenges and contradictions that managers face. Emergent strategies draw on a wider set of information about operations, customers, suppliers and the outside environment than is available to, or can be comprehended by, senior management with their limited time and bounded rationality. Emergent strategies clash with, modify and merge with deliberate strategies in learning processes to form the strategies that an entity actually realises. In contrast, the COSO (2004) framework is based on a view that strategy is set deliberately: for example, "Whatever term is used, such as 'mission', 'vision', or 'purpose', it is important that management – with board oversight – explicitly establish the entity's broad-based reason for being. From this, management sets strategic objectives, formulates strategy, and establishes related operations, compliance and reporting objectives for the organization" (COSO, 2004, p.35).

It is not the intention here to criticise deliberate strategy. Without rational planning by senior management of intended strategy, the actual strategy that emerges may lack coherence and direction. However, the COSO view, that emergent strategy is either irrelevant or does not exist, is unrealistic. Emergent strategy challenges the COSO view that ERM is purposively designed.

An implication of emergent strategy for the ERM framework is that strategy and objective setting draw on identification of opportunities and threats by all levels of management. Also it builds on all risk management processes, such as assessment of opportunities and threats and monitoring, as well as risk identification. Although COSO (2004) describes the eight components of its framework as interrelated, Mintzberg et al.'s (1998) view of emergent strategy shows how strategy and objective setting are more intertwined with the other seven components than is apparent from reading the framework.

Emergent strategy itself creates uncertainties. As emergent strategy is only partially planned, as with soft systems (Checkland, 1993), there is uncertainty about what direction it will take in the future (Balogun and Johnson, 2005). Although management may take care that strategies are consistent, there will always be doubt as to whether total consistency is achieved, and about how much effort is wasted by pursuing incompatible goals. COSO (2004) does not discuss uncertainty of strategy and objectives. Moreover, these uncertainties do not fit neatly into COSO's framework with its event identification, because they are largely unidentifiable ex ante, arising not from identifiable events but from the collision of strategies with unforeseeable future events.

9.2 Beyond 'top down' management

COSO (2004) views management as proceeding from the top to the bottom of an entity, with commands cascading down the organisation. For example, "By focusing first on strategic objectives and strategy, an entity is positioned to develop related objectives at an entity level, . . . Entity-level objectives are linked to and integrated with more specific objectives that cascade through the organisation to sub-objectives" (COSO, 2004, p.36), and "A critical challenge is to delegate only to the extent required to achieve objectives" (ibid., p.32). COSO's command and control view appears also in its narrow definition (ibid., p.61) of 'control activities' as "policies and procedures that help ensure management's risk responses are carried out", and of 'policy' as "Management's dictate of what should be done to effect control" (ibid., p.123).

The closed but natural systems view of management shows that top down command and control views of management control are inadequate. Behavioural and institutional theorists show that social factors intervene between command and control. COSO (2004) recognises personnel management, such as "the competence and development of personnel" (ibid., p.27), in its ERM component of 'internal environment'. But this does not go as far as the sense making, interpretation and variable degree of acceptance by staff (Balogun and Johnson, 2005) that intervene between command and control. ERM, like management control, can only work alongside the interests and volition of individuals (Otley, 2003). Besides top down command, lateral accountability (Munro and Hatherly, 1993; Roberts, 1991) and bottom up flow of innovative ideas (Bartlett and Ghoshal, 1993; Gupta and Govindarajan, 1991) can guide activity in organisations. Therefore if the spirit of ERM is to be embedded in an entity's ethos, rather than ceremonially performed to satisfy top management, an 'internal environment' needs to go beyond what is directed by senior management. Top management may have some influence over these social forces, but not control. This is not clear from COSO's (2004) description of 'internal environment', which emphasises the 'tone at the top' and senior management influencing the risk consciousness of staff. Although some argue that managers can use organisational culture as a control mechanism (Lorsch, 1986), others show how it develops organically within an organisation, and that it is difficult to change without changing the very nature of the organisation (Langfield-Smith, 1995; Smircich, 1983).
3
4 9.3 Power and influence
5
Research shows how management accounting is subject to sources of power and influence
6 (Berry et al., 1985; Ezzamel and Willmott, 1998). The potential for political interaction
7 between people with power and competing interests in ERM seem also to be considerable.
8 Because ERM is implicated in allocation of resources and adequacy of capital (Basel
9 Committee, 2004), managers are interested in ERM systems so as to ensure they have
40 sufficient resources to support their operations and fulfil their responsibilities (Power,
1 2003). ERM may also be used in the interpretation of performance, whether outcomes are
2 the result of good management or of uncertain events, which adds to managers’ interest in
3 how risk management is viewed for their areas of accountability. Subjective views of how
4 likely a potential event is, what its impact might be, and how it can be managed, may be
5 influenced by interests and power. There is also subjectivity and political interest in
6 identifying and interpreting the risk attitude for an organisation.
711
8
The COSO ERM framework 1105

111 Therefore interpretations, human interests and politics intervene between rational
2 intention and implementation of ERM. Possibilities for absolute control give way to a
3 spectrum of influence by managers, which in turn is subject to forces of social interaction.
4 This social aspect is not apparent in COSO’s (2004) description of ERM as an objective
5 process.

10 The ERM framework as an open natural system

The top right quadrant of Figure 1, open natural systems, can be used to explore the implications for ERM of uncertainty extending not only to agreement about the objectives for these ERM processes and to the social interaction within an entity, but also to the location of an entity's ERM processes and to the scope of uncertainties that it addresses.

Open natural systems views of an organisation include possibilities for it to influence its external environment. The COSO (2004) risk responses of avoiding, reducing, sharing and accepting threats are consistent with an entity choosing which markets to engage in and with which partners to do business. However, an organisation seeking to influence its partners, markets and regulators goes beyond what COSO's framework describes explicitly. An example is the lobbying by the accountancy profession for limits to be placed on the liability of auditors. Uncertainty facing an entity extends to how external parties may react to its attempt to influence them.

ERM may be practised by entities in order to seek legitimacy and to respond to expectations that ERM should be part of the panoply of a well managed organisation. For example, ERM may address reputation threat not only by attempting to bring the likelihood and impact of reputation threatening events within an entity's risk appetite, but also by managers demonstrating to stakeholders that they are doing all that is expected, and by engaging in debate over what society expects from organisations of good repute.

10.1 Institutionalisation of ERM

Risk, in the everyday sense of a threat of adverse consequences (Allen, 1990, Concise Oxford Dictionary), is subjective. It can be a social construction of what people collectively fear (Adams, 1995; Dake, 1992; Douglas, 1986). Social attitudes to risk depend upon the economic, cultural and institutional context from which they are viewed (Williamson, 2005b). In contrast COSO (2004) views 'risk' as objective: either it exists in terms of likelihood and impact, or it does not.

This article opened by explaining how COSO's (2004) framework is likely to be influential in how ERM is being institutionalised as expected risk management practice. A parallel may be drawn with how accounting has become institutionalised and in turn influences the social construction of expected management practice (Burchell et al., 1980; Covaleski et al., 2003; Meyer and Rowan, 1977; Miller and O'Leary, 1987). However the COSO framework, and similar views such as Basel II (Basel Committee, 2004), are not the only way of viewing risk management. Adams (1995) describes four rationalities for dealing with risk in the everyday sense of threats. These are illustrated in Figure 3. Each of these rationalities combines a 'myth of nature' (Dake, 1992) that sees the world and its risks in a particular way, with a set of responses to these threats.

Figure 3 Four rationalities of risk (Adams, 1995)
[figure not reproduced in this text extraction]

The 'hierarchist' rationality sees nature, including the environment, economy and society, as robust up to limits but, when pushed beyond these limits, capable of producing nasty surprises. Hierarchists see the need for regulation to protect mankind from threats. This is the rationality of regulation and of COSO's (2004) ERM framework. It is also the rationality within many organisations, which set out to manage threat with policies, procedures, risk officers, internal audit and risk committees. It may tend to favour Ouchi's (1979) bureaucratic control mechanisms.

In contrast, the 'individualist' rationality sees the world as generally benign. Risk is variability that creates opportunities for individuals and in particular for entrepreneurs. This rationality favours a market approach to risk management and opposes the deadening hand of regulation. Compared to hierarchists, individualists may tend to focus on Ouchi's (1979) market control mechanisms.

The 'egalitarian' rationality sees the need for regulation, not like the hierarchists to protect man from nature, but to protect nature from mankind. Egalitarians argue against those they see as causing pollution or deprivation. This is the view of environmentalists and protest movements against big business, government and globalisation. Compared to hierarchists and individualists, egalitarians tend to rely more on Ouchi's (1979) clan control mechanisms within their own organisations.

The fourth rationality, 'fatalism', sees nature as unpredictable or perhaps capricious, and regulation as futile. This may be the view of people too busy or apathetic to form a view about pre-emptive risk management. It may also be the view of those who see that responses to a threat may create new threats, so that the outcome of risk management is unpredictable and not necessarily benign.

Each rationality is a paradigm, resting on its own premises, internally consistent and opposed to the rationalities of the other three viewpoints. Arguments and beliefs become institutionalised within bodies of proponents for these causes, identifying what adherents stand for (Douglas and Wildavsky, 1983). The clash and difficult dialogue between opposing rationalities were illustrated by the protest by Greenpeace against plans by Shell to dispose of its Brent Spar in the Atlantic, and by the subsequent responses by Shell (Greenpeace, 1996; Shell, 2005). It is impossible for anybody to identify all threats, and bounded rationality limits how many of even the identified threats can be assessed and managed. Each rationality, as an institutionalised paradigm, filters what threats are seen as important and what responses for managing risk are seen as viable and acceptable (Dake, 1992).

Adams (1995) offers a fifth meta-rationality that respects the four paradigms, but sees that each acts as a check on the excesses of the others. The tensions between the four paradigms restrain the excesses of each, whether they be Kafkaesque tyranny by hierarchist bureaucracy, exploitation by individualist marketeers, egalitarian obstruction that limits both economic progress and state sponsored order, or apathetic disinterest that can lead to exploitation and unregulated chaos.

Pre-eminence of a single risk management paradigm, such as through institutionalisation of ERM as recommended by COSO (2004), therefore reduces the restraints imposed by the other paradigms. COSO's hierarchist ERM imposes a rationality of growing stakeholder value through an optimal balance between growth, achieving explicit goals and management of threats (these arguments are rehearsed in a survey of risk in The Economist, 2004). Its top down management approach may increase blindness to threats and opportunities that are not seen as compelling by some entities' senior management, such as perhaps social reactions to the welfare of pensioners, pollution of the natural environment, and exploitation of developing world economies (Stiglitz, 2002). Blindness to threats that are apparent from other paradigms of risk management is an example of a threat created by ERM.
9
11 The ERM framework creates threats

Regulating ‘risk’ management and recommending ERM best practice poses some paradoxes. ‘Risk management’ is itself something of an oxymoron: if ‘risk’ is managed, is it still ‘risk’?

Despite claims by some authors that ERM systems should identify and address all ‘risks’ (AIRMIC IRM ALARM, 2002; Banham, 2003; Lipworth, 1997; Sobel and Reding, 2004), nobody can omnisciently identify the full extent of threats and opportunities (Adams, 1995). The collapse of Long-Term Capital Management in 1998 is an example of ill-placed confidence in sophisticated uncertainty management. ERM can lead to false security (Hutter, 2003) and greater vulnerability to events that were not identified as threats. This vulnerability is itself a threat.

Creation by ERM of threats may be an example of what is termed “the risk of control” (Berry et al., 2005c), which is the danger that attempts to control uncertainty can stand in the way of anticipation and flexibility. COSO (2004) creates a similar danger in its attempt to manage risk. It does this in several ways. Firstly, it may create unjustified confidence that threats are identified. Optimism that all potential events have been identified leads decision makers to over-weight the likelihood of identified events, and hence to bias in risk assessments. This optimism may lead to managers relaxing their lookout for the unexpected and moderating their caution when information is unexplained.

Secondly, ERM systems may encourage confidence that capital is allocated optimally and resources deployed well for the events that are likely to happen. If this leads to a reduction in organisational slack and buffers capable of absorbing unexpected events, the effect may be to reduce, not increase, resilience.

Thirdly, confidence in ERM may lead to managers exposing their entities to new threats, for example to potentially greater volatility of outcomes, in a similar way to how traffic safety regulation may lead to motorists taking new chances (Adams, 1995). Where this confidence is overly optimistic, the effect may be to increase the likelihood and impact of threats. March and Shapira (1987) show how social pressures on managers to be seen to be good at managing uncertainties encourage them in ‘managerial conceit’ about their uncertainty managing ability. Also, organisational culture may impact on uncertainty management decisions (Helliar et al., 2001) by encouraging over-confidence.

Fourthly, confidence in ERM systems may lead to over-reliance on processes rather than on judgement. For example, institutionalisation of ERM may lead to greater attention to implementing perceived best practice than to managing pertinent opportunities and threats (Froud, 2003). Spira and Page (2003) argue that ERM may deflect responsibility for failure, as managers point to their ERM processes in claiming they are doing all that is expected. A further example of reliance on processes rather than judgement may come from the approach of COSO in its ERM framework. This approach may reduce flexibility of response by placing risk management within defined constraints of policies, procedures and monitoring, by reducing speed of response, and by reducing the limited management attention that is available to scanning for and responding to the unexpected.

There are other approaches to management of uncertainty. Whitley (1999) shows how management control systems in some cultures tend to depend more on personal trust than on systemic trust in formal institutions and procedures. Maruyama (1963, 1974) explains how opportunities can be levered by amplifying volatility that emerges from uncertainties, rather than by seeking to reduce volatility of outcomes and limiting deviations from expectations. Managers may seek organisational resilience through maintaining flexibility and giving greater attention to adapting objectives, rather than focusing on assurance of achieving existing objectives (Williamson, 2005a).

The danger that ERM creates new threats can be magnified by institutionalisation of a dominant paradigm, particularly where institutionalisation is through regulation that is consistent with COSO’s (1999, 2004) frameworks. Examples of such ERM regulation include the Turnbull Guidance that is incorporated into the UK’s Combined Code (FRC, 2003), regulation by the SEC and PCAOB in the USA to support section 404 of the Sarbanes-Oxley Act 2002, and the Basel II proposals (Basel Committee, 2004). Dominance of a single paradigm of risk management reduces restraints from other paradigms as identified by Adams (1995), by reducing their social legitimacy, and quieting their dissenting voices. Entrenching a single approach to risk management, whether through regulation, political pressure or the fashion of expected best practice, could increase fragility and systemic threats within markets (Danielsson and Zigrand, 2003; Jorion, 2005)² or across society.

12 Conclusions

12.1 Contributions of COSO

It is important to recognise the contributions that COSO’s (2004) ERM framework has made. These are important firstly because they deserve recognition in a critique, and secondly they indicate that the framework is likely to command a strong following, which in turn increases the dangers of its limitations.

Contributions of COSO’s (2004) framework include setting out a common framework for all entities, in non-financial as well as financial industries, irrespective of whether they are in the public, private or voluntary sectors. The framework raises the profile of ERM, for example by showing how it is a major reason for internal control and management control. It broadens the scope of risk management beyond what is quantifiable and uses ERM to link management within entities to corporate governance. Despite the limitations of its definitions, the framework does offer a terminology that can help establish a common language, which is recognised as critical to implementing ERM. It will probably also be seen, despite its serious limitations, as a standard against which managers can benchmark their entities and regulators can compare their regulations.

12.2 Definition of ‘risk’

COSO’s (2004) exclusion of opportunities from its definition of ‘risk’ is problematic. The distinction between opportunities and threats is artificial, as both threats and opportunities that follow from decisions need to be considered in managing threats, and also in formulating strategies and objectives to exploit opportunities. The distinction is also arbitrary, as it depends on what base is chosen for identifying progress towards or away from objectives. Consequently the scope of risk assessment, selection of risk responses, and control activities as defined by the framework, is also arbitrary. Exclusion of opportunities from ‘risk’ gives ERM a negative connotation, and can blind managers to threats of failing to follow up on opportunities. It may encourage people to think that ERM does not include pursuit of opportunities. The common language for ERM offered by COSO is both imprecise and unfortunate.

12.3 Uncertainties that are obscured by the closed rational perspective

The closed rational systems perspective of COSO’s (2004) framework leaves wide gaps in the range of uncertainties that it addresses. There is firstly the preponderance of threats and opportunities that cannot be analysed because no one is sufficiently omniscient to identify more than a minority of uncertainties, while bounded rationality and time constraints preclude management from analysing all uncertainties that they can identify.

Secondly, there is uncertainty from how those inside and outside the entity may react to its ERM processes. The framework, with its linear logic, omits mutual interactions between an entity’s ERM processes and the environment in which it operates. The potential developments of this wider system, of interactions between members of an organisation, its ERM processes, and its external environment, may be largely unknowable and hence contribute to the unidentifiable uncertainties.

Thirdly, the COSO (2004) framework is blind to uncertainty over what the objectives for an entity are. These uncertainties are created by emergent strategy, such as from interpretation and negotiation by internal and external stakeholders, and from unforeseeable collisions between strategy and practicality.

Fourthly, the framework ignores social aspects of risk management. Besides shared interpretation and negotiation of objectives, there is the social construction of which threats command attention, and what risk responses are legitimate (Beck, 1992; Dake, 1992; Douglas, 1992b). Politics and power influence which uncertainties appear on the management agenda (Hutter and Power, 2000), how uncertainties are responded to, and how these affect allocation of resources, remuneration and reputations. Uncertainty extends to the social processes of ERM itself.

The analysis used here assumes similarities between management control and ERM. Whereas management control is concerned with processes for guiding activity towards aspirations and constraining whatever is feared, ERM is more directly concerned with identifying and managing those fears. It is postulated here that ERM may tend to be more sensitive than management control to how societies construct their values, norms and institutions, for it is concerned with managing the threats that define our institutions (Douglas, 1986), and risks include taboos that define societies (Douglas, 1992a). This suggests that omission of the social context from COSO’s (2004) framework may have deeper implications than its omission from closed rational views of management control.

Fifthly, the COSO (2004) framework, in offering a single standard for all entities, does not consider the external contingencies that affect what sort of ERM is suitable and perhaps what sort of ERM is seen as effective. The framework can therefore be no more than a minimum standard. While we cannot expect a single document to specify how contingencies, such as industry, might impact on the design of an entity’s ERM, this omission limits the framework in its aim of identifying the direction that entities can take to improve their ERM. For example, entities in the banking and insurance industries may have demanding regulators such as the FSA (2005) in the UK, and may be expected to use largely quantitative methods. Other entities may develop standards for reasonable assurance through dialogue with key stakeholders.

Finally, there is uncertainty in the threats that are created by ERM.

12.4 Institutionalised ERM creates threats

COSO’s (2004) ERM framework creates threats wherever it raises unrealistic hope that uncertain outcomes will fall within risk appetites. There are several reasons for this optimism, including the impossibility of identifying all uncertainties, social pressures on managers to be good at managing uncertainties, and over-confidence in ERM processes. These processes, such as described by COSO (2004), proposed in Basel II (Basel Committee, 2004), and recommended in the Turnbull guidance (FRC, 2005), are becoming institutionalised as expected norms of good management. They are becoming a paradigm that filters views of what is relevant and important, shapes criteria of acceptable practice, and serves as a criterion for membership of risk management professions. Consequently this view of ERM blinds managers to other paradigms of identifying and managing uncertainties. An implication is that a dominant ERM paradigm could create systemic threats in entities, industries and society, by lowering preparedness for uncertainties that fall outside its vision and by reducing flexibility for absorbing the unexpected.

12.5 Omitted means for managing uncertainties

Uncertainties of ERM processes extend to how identified uncertainties are managed. COSO (2004) focuses on control to the exclusion of influence, which is reflected in its view of management as top down command and control. It omits social control within entities such as peer pressure, lateral accountability and organic development of organisational culture. Similarly, the COSO focus on internal process excludes the increasingly important management between entities of shared opportunities and threats. It ignores the importance of an entity gaining external approval and legitimacy for how it conducts ERM. The framework is similarly blind to the influence and accompanying uncertainties that an entity may have over external stakeholders, markets and regulators, through which it may influence expectations for how it should manage uncertainty. These omissions from the COSO framework leave it insufficient on its own to satisfy stakeholders who look to an entity’s ERM to address their socially constructed fears for its operations.

12.6 Effectiveness of ERM

Much of this critique accuses COSO (2004) of ignoring what lies outside its closed rational systems perspective. However, it is only fair to assess the COSO framework from within its own objectivist premises, such as striving for rational pursuit of known goals and management of objective uncertainties.

COSO’s (2004) framework does not amount to an effective cybernetic control system, because it fails to provide three of the four necessary conditions for cybernetic control. It does not provide an objective, for which attainment can be objectively identified. Secondly, there is no predictive model of precisely how components of an ERM process deliver risk management outcomes. Thirdly, there is no measurement of the extent that ERM objectives are achieved. There can be no measurement of risk management effectiveness, because we do not have an adequate criterion of effectiveness.

Of the three criteria for effectiveness of ERM stated in COSO’s (2004) framework, the presence and effective functioning of the framework’s eight components does not show whether these components are effective towards any particular purpose. That and the criterion of no material weaknesses both lead to the third and what must be the overarching criterion, namely whether ERM processes succeed in bringing uncertainties within the risk appetite for an entity. This can be determined through skilled judgement, which, despite denial by the framework, leads back to the subjectivity that the framework eschews. This judgement depends on the assumptions of the particular person who makes it, on his or her interpretation of the ERM processes, what the objectives or mission for the entity are, what is reasonable assurance, and how likely the processes are to give that reasonable assurance towards these objectives. Furthermore, ex ante likelihoods of all but mechanically repetitive outcomes are proven only after they occur, because there is little knowing whether the future will follow past patterns. Even this ‘proof’ is no more than an opinion whether the actual outcome was anticipated ex ante as a possibility of sufficient likelihood. Low frequency events of high impact in particular leave doubt whether results arose from good management or from good luck. So even ex post assessment of uncertainty management requires judgement. The premises, assumptions and values that underlie judgement reintroduce culture and politics of competing interests. Issues of culture and politics are multiplied as consensus is sought on the level of assurance provided by ERM processes. Social factors are irretrievably implicit in assessment of uncertainty management, just as management of threats is woven into the fabric of institutions (Douglas, 1986) and construction of society (Beck, 1992) with its foundation of mutual trust (Giddens, 1990). The image of objective uncertainty management, such as offered by COSO (2004), is a fantasy (Douglas, 1992a).

Some may retort ‘So what?’ to criticism that COSO’s (2004) framework fails to address its inherent subjectivity. Some entities’ ERM will inevitably fail stakeholders’ expectations. Stakeholders and observers may blame either bad luck, or incompetence of the failing entities’ managers, or the ERM institutions followed by the entities. They therefore are liable to criticise the framework either for allowing too much subjective judgement, or for raising social expectations that risk management can be sanitised of the uncertainties of subjectivity.

COSO’s (2004) framework gives researchers a model of emerging expectations for ERM. They can study how it works out in practice, use it as a model to compare against existing theories, or treat it as a milestone in the evolution of social attempts to manage uncertainty.

References

Abernethy, M.A. and Stoelwinder, J.U. (1995) ‘The role of professional control in the management of complex organizations’, Accounting, Organizations and Society, Vol. 20, No. 1, pp.1–17.
Adams, J. (1995) Risk, London, UK: Routledge.
AIRMIC IRM ALARM (2002) ‘A risk management standard’, http://airmic.com/Downloads/Pubs/AIRMIC_Risk-Management-Standard.pdf, accessed 19/10/2005.
Allen, R.E. (1990) The Concise Oxford Dictionary of Current English, Oxford, UK: Clarendon Press.
Anthony, R. (1965) Planning and Control Systems: a Framework for Analysis, Boston, MA: Division of Research, Graduate School of Business Administration, Harvard University.
Arnold, G. (2002) Corporate Financial Management, Harlow, UK: Pearson Education.
ASB (1998) FRS 5 – Reporting the Substance of Transactions, London, UK: Accounting Standards Board.
ASB (2005) RS1 – Operating and Financial Review, London, UK: Accounting Standards Board.
Balogun, J. and Johnson, G. (2005) ‘From intended strategies to unintended outcomes: the impact of change recipient sensemaking’, Organization Studies, Vol. 26, No. 11, pp.1573–1601.
Banham, R. (2003) ‘The art of measuring risk’, Reactions, Vol. 23, No. 11, p.55.
Barlow, S. (2000) ‘Prudential: embedding risk management’, Internal Auditing & Risk Management (September), pp.32–33.
Bartlett, C. and Ghoshal, S. (1993) ‘Beyond the M-Form: toward a managerial theory of the firm’, Strategic Management Journal, Vol. 14, pp.23–46.
Basel Committee (2003) Sound Practices for the Management and Supervision of Operational Risk, http://www.bis.org/publ/bcbs96.pdf, accessed 30/5/2004.
Basel Committee (2004) International Convergence of Capital Measurement and Capital Standards: a Revised Framework, http://www.bis.org/publ/bcbs107.pdf, accessed 1/6/2005.
Beck, U. (1992) Risk Society: Towards a New Modernity, (M. Ritter, trans.), London, UK: Sage Publications.
Bernstein, P. (1996) Against the Gods: The Remarkable Story of Risk, New York, NY: Wiley.
Berry, A. (2005) ‘Control in networks’, in A. Berry, J. Broadbent and D. Otley (eds) Management Control: Theories, Issues and Performance, Basingstoke, UK: Palgrave Macmillan, pp.230–247.
Berry, A., Broadbent, J. and Otley, D. (2005a) Management Control: Theories, Issues and Performance, Basingstoke, UK: Palgrave Macmillan.
Berry, A., Broadbent, J. and Otley, D. (2005b) ‘The domain of organizational control’, in A. Berry, J. Broadbent and D. Otley (eds) Management Control: Theories, Issues and Performance, Basingstoke, UK: Palgrave Macmillan, pp.3–16.
Berry, A., Capps, T., Cooper, D., Ferguson, P., Hopper, T. and Lowe, E. (1985) ‘Management control in an area of the NCB: rationales of accounting practices in a public enterprise’, Accounting, Organizations and Society, Vol. 10, No. 1, pp.3–28.
Berry, A., Collier, P. and Helliar, C. (2005c) ‘Risk and control: the control of risk and the risk of control’, in A. Berry, J. Broadbent and D. Otley (eds) Management Control: Theories, Issues and Performance, Basingstoke, UK: Palgrave Macmillan, pp.279–299.
Boulding, K. (1956) ‘General systems theory – the skeleton of science’, Management Science, Vol. 23, No. 3, pp.197–208.
Brignall, S. and Modell, S. (2000) ‘An institutional perspective on performance measurement and management in the “New Public Sector”’, Management Accounting Research, Vol. 11, pp.281–306.
Burchell, S., Clubb, C., Hopwood, A. and Hughes, J. (1980) ‘The roles of accounting in organizations and society’, Accounting, Organizations & Society, Vol. 5, No. 1, pp.5–27.
Burns, J. (2000) ‘The dynamics of accounting change: inter-play between new practices, routines, institutions, power and politics’, Accounting, Auditing & Accountability Journal, Vol. 13, No. 5, p.566.
Burns, J. and Scapens, R. (1999) ‘Conceptualizing management accounting change: an institutional framework’, Management Accounting Research, Vol. 11, pp.3–25.
Cadbury Committee (1992) Report of the Committee on the Financial Aspects of Corporate Governance, London, UK: Gee.
Chapman, C. (2003) ‘Bringing ERM into focus’, Internal Auditing Magazine, (June).
Checkland, P. (1993) Systems Thinking, Systems Practice, Chichester, UK: John Wiley & Sons.
CIMA (2000) Management Accounting Official Terminology, London, UK: The Chartered Institute of Management Accountants.
Collier, P. (2001) ‘The power of accounting: a field study of local financial management in a police force’, Management Accounting Research, Vol. 12, pp.465–486.
Collier, P. and Berry, A. (2002) ‘Risk in the process of budgeting’, Management Accounting Research, Vol. 13, pp.273–297.
Collin, S-O. (1995) ‘The institutional control of the corporation – extending the debate on the separation of ownership from control’, Corporate Governance, Vol. 3, p.3.
COSO (1992) Internal Control – Integrated Framework, Jersey City, NJ: Committee of Sponsoring Organizations of the Treadway Commission.
COSO (2004) Enterprise Risk Management – Integrated Framework, Jersey City, NJ: Committee of Sponsoring Organizations of the Treadway Commission, AICPA.
Covaleski, M., Dirsmith, M. and Samuel, S. (2003) ‘Changes in the institutional environment and the institutions of governance: extending the contributions of transaction economics within the management control literature’, Accounting, Organization and Society, Vol. 28, pp.417–441.
Cyert, R.M. and March, J.G. (1992) A Behavioural Theory of the Firm, Cambridge, MA: Blackwell Publishers, 2nd edn.
Dake, K. (1992) ‘Myths of nature: culture and the social construction of risk’, Journal of Social Issues, Vol. 48, No. 4, pp.21–37.
Danielsson, J. and Zigrand, J.P. (2003) ‘What happens when you regulate risk? Evidence from a simple equilibrium model’, http://fmg.lse.ac.uk/publications/searchdetail.php?pubid=1&wsid=1&wpdid=425, accessed 2/11/2001.
Dent, J. (1991) ‘Accounting and organisational cultures’, Accounting, Organizations and Society, Vol. 16, p.8.
Dermer, L. (1986) ‘The illusion of control’, Accounting, Organizations and Society, Vol. 11, No. 6, pp.471–482.
Dickson, T. (2003) Risky Business. EBF on . . . Managing Risk, London, UK: European Business Forum, p.2.
DiMaggio, P.J. and Powell, W.W. (1991) ‘The iron cage revisited: institutional isomorphism and collective rationality in organizational fields’, in W.W. Powell and P.J. DiMaggio (eds) The New Institutionalism in Organizational Analysis, Chicago: University of Chicago Press.
Dobler, M. (2005) ‘National and international development in risk reporting: may the German Accounting Standard 5 lead the way internationally?’, German Law Journal, Vol. 6, No. 8, pp.1191–1200.
Douglas, M. (1986) How Institutions Think, Syracuse, NY: Syracuse University Press.
Douglas, M. (1992a) ‘Risk and Blame’, Risk and Blame: Essays in Cultural Theory, London: Routledge, pp.3–21.
Douglas, M. (1992b) ‘Risk and Danger’, Risk and Blame: Essays in Cultural Theory, London: Routledge, pp.3–21.
Douglas, M. and Wildavsky, A. (1983) Risk and Culture, Berkeley, CA: University of California Press.
Drury, C. (2000) Management and Cost Accounting, London, UK: Thomson Learning.
EIU (1995) Managing Business Risks: An Integrated Approach, New York, NY: Economist Intelligence Unit.
Economist (2004) ‘A survey of risk’, The Economist, 24 January, Survey, pp.3–22.
Emmanuel, C. and Otley, D. (1976) ‘The usefulness of residual income’, Journal of Business Finance and Accounting, Vol. 3, No. 4, pp.43–51.
Emmanuel, C., Otley, D. and Merchant, K. (1990) Accounting for Management Control, London, UK: Chapman and Hall.
European Union (2003) ‘Directive 2003/51/EC on the annual and consolidated accounts of certain types of companies, banks and other financial institutions and insurance undertakings’, http://europa.eu.int/smartapi/cgi/sga_doc?smartapi!celexapi!prod!CELEXnumdoc&lg=en&numdoc=32003L0051&model=guichett, accessed 15/11/2005.
Ezzamel, M. and Willmott, H. (1998) ‘Accounting for teamwork: a critical study of group-based systems of organizational control’, Administrative Science Quarterly, Vol. 43, pp.358–396.
Fisher, J. (1995) ‘Contingency-based research on management control systems: categorization by level of complexity’, Journal of Accounting Literature, Vol. 14, pp.24–53.
Flamholtz, E. (1996) Effective Management Control: Theory and Practice, Norwell, MA: Kluwer Academic Publishers.
FRC (2003) The Combined Code on Corporate Governance, London, UK: Financial Reporting Council.
FRC (2005) ‘Internal control: revised guidance for directors on the combined code’, http://www.frc.org.uk/press/pub0945.html, accessed 21/10/2005.
Froud, J. (2003) ‘The private finance initiative: risk, uncertainty and the state’, Accounting, Organizations and Society, Vol. 28, pp.567–589.
FSA (2005) ‘Handbook of rules and guidance’, http://fsahandbook.info/FSA/html/handbook/, accessed 7/11/2005.
Garrison, R., Noreen, E. and Seal, W. (2003) Management Accounting, Maidenhead, UK: McGraw-Hill Education.
Giddens, A. (1990) The Consequences of Modernity, Cambridge, UK: Polity Press.
Giddens, A. (1991) Modernity and Self-Identity: Self and Society in the Late Modern Age, Cambridge, UK: Polity.
Giddens, A. (1999) Runaway World: How Globalisation is Reshaping Our Lives, London, UK: Profile Books.
Gigerenzer, G. (2002) Reckoning With Risk, London, UK: Allen Lane The Penguin Press.
Greenpeace (1996) ‘Greenpeace Brent Spar protest in the North Sea’, http://archive.greenpeace.org/comms/brent/brent.html, accessed 3/4/2006.
Gupta, A. and Govindarajan, V. (1991) ‘Knowledge flows and the structure of control within multinational corporations’, Academy of Management Review, Vol. 16, No. 4, pp.768–792.
Hakansson, H. and Lind, J. (2003) ‘Accounting and network coordination’, Accounting, Organizations and Society, Vol. 29, pp.51–72.
Harris, E. (1999) ‘Project risk assessment: a European Field Study’, British Accounting Review, Vol. 31, No. 3, pp.347–371.
Hayward, J. (2003) Thinking Not Ticking: Bringing Competition to Public Interest Audit, London, UK: Centre for the Study of Financial Innovation.
Hedlund, G. and Rolander, D. (1990) ‘Action in heterarchies: new approaches to managing the MNC’, in G. Hedlund, C. Bartlett and E.C. Doz (eds) Managing the Global Firm, London: Routledge, pp.15–45.
Helliar, C., Lonie, A., Power, D. and Sinclair, D. (2001) Attitudes of UK Managers to Risk and Uncertainty, Edinburgh, UK: Institute of Chartered Accountants of Scotland.
Hines, R. (1988) ‘Financial accounting: in communicating reality, we construct reality’, Accounting, Organizations and Society, Vol. 13, No. 3, pp.251–261.
HM Treasury (2004) ‘The Orange Book: management of risk – principles and concepts’, http://www.hm-treasury.gov.uk./media/FE6/60/FE66035B-BCDC-D4B3-11057A7707D2521F.pdf, accessed 8/11/2005.
Hogler, R. and Hunt, H. (1993) ‘Accounting and conceptions of control in the American Corporation’, British Journal of Management, Vol. 4, pp.177–190.
Hopwood, A. (1974) Accounting and Human Behaviour, Englewood Cliffs, NJ: Prentice Hall.
Hutter, B. (2003) ‘Paradoxes for the business leader’, in T. Dickson (ed) EBF on . . . Managing Risk, London, UK: European Business Forum, pp.6–9.
Hutter, B. and Power, M. (2000) ‘Risk management and business regulation’, http://www.lse.ac.uk/collections/CARR/pdf/Risk_Management_and_Business_Regulation.pdf, accessed 9/5/2003.
ICAEW (1999a) Implementing Turnbull, London, UK: ICAEW.
ICAEW (1999b) No Surprises: the Case for Better Risk Reporting, London, UK: Institute of Chartered Accountants in England & Wales.
ICAEW (2002) ‘Business risk increasing across all areas, say FTSE500 directors’, http://www.icaew.co.uk/members/index.cfm?AUB=TB2I_47573,MNXI_47573&fuseaction=doadvanced, accessed 14/9/2004.
ICAEW and The Risk Advisory Group Ltd. (2004) Managing Risk Survey 2003: Report of a Survey Amongst FTSE 500 Companies, London, UK: The Risk Advisory Group Ltd. and Institute of Chartered Accountants in England & Wales.
IFAC (2005) Handbook of International Auditing, Assurance, and Ethics Pronouncements, http://www.ifac.org/Store/Category.tmpl?Category=Auditing%2C%20Assurance%20%26%20Related%20Services&Cart=111385724931231, accessed 16/2/2005.
IIA – UK (2003) Embedding Risk Management into the Culture of Your Organisation, London, UK: IIA – Institute of Internal Auditors – UK and Ireland.
IIA – UK (2004) Code of Ethics and International Standards 2004, http://www.blindtiger.co.uk/IIA/uploads/-470e32aa-fad25fdf5c—7fc2/Standards2004.pdf, accessed 17/5/2004.
Jensen, M. and Meckling, W. (1976) ‘Theory of the firm: managerial behavior, agency costs and ownership structure’, Journal of Financial Economics, Vol. 3, pp.305–360.
Jorion, P. (2005) ‘The perceived dangers of following the herd’, Financial Times, FT Mastering Risk, 30 September, London, UK, pp.4–5.
Kelly, E. and Weber, S. (2005) ‘A delicate balance between risk and reward’, Financial Times, FT Mastering Risk, 9 September, London, UK, pp.2–3.
Kelly, K. (1994) Out of Control, London, UK: Fourth Estate.
111 Kleffner, A., Lee, R. and McGannon, B. (2003) ‘The effect of corporate governance on the use of
2 enterprise risk management: evidence from Canada’, Risk Management and Insurance Review,
Vol. 6, No. 1, pp.53–73.
3
4 Knight, F. (1933) Risk, Uncertainty and Profit, Boston, MA: Houghton Miflin & Co.
5 Kontrag. (1998) ‘Gesetz zur Kontrolle und Transparenz im Unternehmensbereich’,
http://216.239.37.104/translate_c?hl=en&sl=de&u=http://de.wikipedia.
6
org/wiki/Gesetz_zur_Kontrolle_und_Transparenz_im_Unternehmensbereich&prev=/search%
3Fq%3DGesetz%2Bzur%2BKontrolle%2Bund%2BTransparenz%2Bim%2BUnternehmensbereich%26hl%3Den%26lr%3D, accessed 15/11/2005.
Lam, J. (2000) ‘Enterprise-wide risk management and the role of the chief risk officer’, http://www.erisk.com/Learning/Research/011_lamriskoff.pdf, accessed 26/5/2005.
Langfield-Smith, K. (1995) ‘Organisational culture and control’, in A. Berry, J. Broadbent and D. Otley (eds) Management Control: Theories, Issues and Practices, London, UK: Macmillan, pp.179–200.
Langfield-Smith, K. and Smith, D. (2003) ‘Management control systems and trust in outsourcing relationships’, Management Accounting Research, Vol. 14, pp.281–307.
Lipsey, R. and Chrystal, K.A. (2004) Economics, Oxford, UK: Oxford University Press.
Lipworth, S. (1997) ‘Risk management at the heart of corporate governance’, Management Accounting, Vol. 75, p.1.
Lorsch, J. (1986) ‘Managing culture: the invisible barrier to strategic change’, California Management Review, Vol. 28, No. 2, pp.95–109.
Lowe, E.A. (1971) ‘On the idea of a management control system: integrating accounting and management control’, Journal of Management Studies, (Feb), pp.1–12.
Lowe, T. and Chua, W.F. (1983) ‘Organisational effectiveness’, in T. Lowe and J. Machin (eds) New Perspectives in Management Control, Macmillan.
Machin, J. (1983) ‘Management control systems: whence and whither?’, in E.A. Lowe and J.H.J. Machin (eds) New Perspectives in Management Control, Macmillan, pp.22–42.
Macintosh, N. (1994) Management Accounting and Control Systems, Chichester, UK: Wiley.
March, J.G. and Shapira, Z. (1987) ‘Managerial perspectives on risk and risk taking’, Management Science, Vol. 33, No. 11, pp.1404–1418.
March, J.G. and Simon, H. (1993) Organizations, Cambridge, MA: Blackwell.
Maruyama, M. (1963) ‘The second cybernetics: deviation-amplifying mutual causal processes’, American Scientist, Vol. 51, pp.164–179.
Maruyama, M. (1974) ‘Paradigmatology and its application to cross-disciplinary, cross-professional and cross-cultural communication’, Dialectica, Vol. 28, Nos. 3–4, pp.135–196.
Mawji, A. (2004) ‘Management accounting: re-engineered for risk’, Balance Sheet, Vol. 12, No. 3, pp.42–45.
Meagher, D. and O’Neil, G. (2000) ‘Enterprise wide risk management’, Accountancy Ireland, Vol. 32, No. 6, pp.10–11.
Merchant, K. (1998) Modern Management Control Systems: Text and Cases, Upper Saddle River, NJ: Prentice Hall.
Meyer, J.W. and Rowan, B. (1977) ‘Institutionalized organizations: formal structure as myth and ceremony’, American Journal of Sociology, Vol. 83, No. 2, pp.340–363.
Miller, P. and O’Leary, T. (1987) ‘Accounting and the construction of the governable person’, Accounting, Organizations and Society, Vol. 12, No. 3, pp.235–265.
Mintzberg, H., Ahlstrand, B. and Lampel, J. (1998) Strategy Safari: The Complete Guide Through the Wilds of Strategic Management, Harlow, UK: Pearson Education.
Munro, R. and Hatherly, D. (1993) ‘Accountability and the new commercial agenda’, Critical Perspectives on Accounting, Vol. 4, pp.369–395.
Munro, R. and Mouritsen, J. (1996) Accountability: Power, Ethos & the Technologies of Managing, London, UK: International Thomson Business Press.
Murphy, D. (2001) ‘Operational risk and regulatory capital’, in C. Alexander (ed.) Financial Times Mastering Risk, Volume 2: Applications, Harlow, UK: FT Prentice Hall, pp.239–250.
Neimark, M. and Tinker, T. (1986) ‘The social construction of management control systems’, Accounting, Organizations and Society, Vol. 11, Nos. 4–5, pp.369–395.
O’Hanlon, J. and Peasnell, K. (1998) ‘Wall Street’s contribution to management accounting: the Stern Stewart EVA® financial management system’, Management Accounting Research, Vol. 9, pp.421–444.
Otley, D. (1980) ‘The contingency theory of management accounting: achievement and prognosis’, Accounting, Organizations and Society, Vol. 5, No. 4, pp.413–428.
Otley, D. (1994) ‘Management control in contemporary organizations: towards a wider framework’, Management Accounting Research, Vol. 5, pp.289–299.
Otley, D. (2003) ‘Management control and performance management: whence and whither?’, British Accounting Review, Vol. 35, pp.309–326.
Otley, D. and Berry, A. (1980) ‘Control, organisation and accounting’, Accounting, Organizations and Society, Vol. 5, No. 2, pp.231–244.
Otley, D., Broadbent, J. and Berry, A. (1995) ‘Research in management control: an overview of its development’, British Journal of Management, Vol. 6 (Special issue), pp.S31–S44.
Ouchi, W. (1977) ‘The relationship between organizational structure and organizational control’, Administrative Science Quarterly, Vol. 22, pp.95–113.
Ouchi, W. (1979) ‘A conceptual framework for the design of organizational control mechanisms’, Management Science, Vol. 25, No. 9, pp.833–848.
Outram, R. (2005) ‘You don’t want an omelette’, CA Magazine (October), pp.24–29.
PCAOB (2004) ‘AS2 – Auditing Standard No. 2 – an audit of internal control over financial reporting performed in conjunction with an audit of financial statements’, http://www.pcaob.org/Rules/Rules_of_the_Board/Auditing_Standard_2.pdf, accessed 21/10/2005.
Pickford, J. (2001) Financial Times Mastering Risk, Volume 1: Concepts, Harlow, UK: FT Prentice-Hall.
Power, M. (2000) The Audit Implosion: Regulating Risk From the Inside, London, UK: Institute of Chartered Accountants in England & Wales.
Power, M. (2003) The Invention of Operational Risk, London: The London School of Economics and Political Science.
Prahalad, C. (1999) ‘Changes in the competitive battlefield’, Financial Times, Mastering Strategy, October, pp.2–4.
Preston, A. (1995) ‘Budgeting, creativity and culture’, in D. Ashton, T. Hopper and R. Scapens (eds) Issues in Management Accounting, Harlow, UK: Prentice Hall Europe, pp.273–297.
PricewaterhouseCoopers (2004) ‘How does COSO’s new enterprise risk management framework relate to Sarbanes-Oxley reporting?’, http://www.pwc.com/servlet/pwcPrintPreview?LNLoc=/extweb/pwcpublications.nsf/docid/483893B552EA388B85256F5D005ACC74, accessed 8/10/2005.
Puxty, A.G., Willmott, H.C., Cooper, D.J. and Lowe, T. (1987) ‘Modes of regulation in advanced capitalism: locating accountancy in four countries’, Accounting, Organizations and Society, Vol. 12, No. 3, pp.273–291.
Reast, J. (1996) ‘Looking at language’, CA Magazine (Scotland), (January), p.47.
Roberts, J. (1991) ‘The possibilities of accountability’, Accounting, Organizations and Society, Vol. 16, No. 4, pp.355–368.
Roberts, J. and Scapens, R. (1985) ‘Accounting systems and systems of accountability – understanding accounting practices and their organisational contexts’, Accounting, Organizations and Society, Vol. 10, No. 4, pp.443–456.
Roslender, R. (1995) ‘Critical management accounting’, in D. Ashton, T. Hopper and R. Scapens (eds) Issues in Management Accounting, Harlow, UK: Prentice Hall Europe, pp.65–86.
Scott, W.R. (1981) ‘Developments in organization theory’, American Behavioral Scientist, Vol. 24, No. 3, pp.407–422.
Seal, W., Berry, A. and Cullen, J. (2004) ‘Disembedding the supply chain: institutionalized reflexivity and inter-firm accounting’, Accounting, Organizations and Society, Vol. 29, pp.73–92.
SEC (2003) ‘Final rule: management’s reports on internal control over financial reporting and certification of disclosure in exchange act periodic reports’, http://www.sec.gov/rules/final/33-8238.htm, accessed 8/11/2005.
SEC (2005) ‘Staff statement on management’s report on internal control over financial reporting’, http://www.sec.gov/info/accountants/stafficreporting.htm, accessed 15/11/2005.
Shapiro, A. (1999) Multinational Financial Management, New York, NY: John Wiley.
Shell (2005) Tell Shell Forum, http://www.tellshellforum.shell.com/startFrame.aspx, accessed 3/4/2006.
Simons, R. (1990) ‘The role of management control systems in creating competitive advantage: new perspectives’, Accounting, Organizations and Society, Vol. 15, Nos. 1–2, pp.127–143.
Smircich, L. (1983) ‘Concepts of culture and organizational analysis’, Administrative Science Quarterly, Vol. 28, pp.339–358.
Sobel, P. and Reding, K. (2004) ‘Aligning corporate governance with enterprise risk management’, Management Accounting Quarterly, Vol. 5, No. 2, pp.29–37.
Spicer, B. and Ballew, V. (1983) ‘Management accounting systems and the economics of internal organization’, Accounting, Organizations and Society, Vol. 8, No. 1, pp.73–96.
Spira, L. and Page, M. (2003) ‘Risk management: the reinvention of internal control and the changing role of internal audit’, Accounting, Auditing & Accountability Journal, Vol. 16, No. 4, pp.640–661.
Stiglitz, J.E. (2002) Globalization and Its Discontents, London, UK: Penguin Books.
Sull, D. (2005) ‘Emerging markets set the risk standard’, Financial Times, FT Mastering Risk, 16 September, London, UK: No. 2–3.
Tannenbaum, A., Kavcic, B., Rosner, M., Vianello, M. and Weiser, G. (1974) Hierarchy in Organizations, San Francisco, CA: Jossey-Bass.
Thompson, J.D. (1967) Organizations in Action: Social Science Bases of Administrative Theory, New York: McGraw-Hill.
Tomkins, C. (2001) ‘Interdependencies, trust and information relationships, alliances and networks’, Accounting, Organizations and Society, Vol. 26, pp.161–191.
White, L. (2004) ‘Management accountants and enterprise risk management’, Strategic Finance, Vol. 86, No. 5, pp.6–7.
Whitley, R. (1999) ‘Firms, institutions and management control: the comparative analysis of coordination and control systems’, Accounting, Organizations and Society, Vol. 24, pp.507–524.
Wiener, N. (1948) Cybernetics, or Control and Communication in the Animal and Machine, New York, NY: John Wiley and Sons.
Williamson, D. (2005a) ‘Managing the key cultural dimensions of control and risk’, European Business Forum, Vol. 21 (Spring), pp.41–45.
Williamson, D. (2005b) ‘Management control assurance in the different cultures and institutions of China and the UK’, in D. Brown and A. MacBean (eds) Challenges for China’s Development: An Enterprise Perspective, London, UK: Routledge.
Notes

1 The SEC (2005) and US Securities Exchange Act 1934 section 13(b)(7) define ‘reasonable assurance’ as the “degree of assurance that would satisfy prudent officials in the conduct of their own affairs”.

2 Although Jorion (2005) identifies the possibility of value at risk models, and other techniques used for managing credit and market risk, creating systemic risk, he concludes that there is no evidence to date that such systemic risk has appeared.